<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
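	<title>The OpenID Connect Provider | ElasticSearch 7.7 Definitive Guide (Chinese Edition)</title>
	<meta name="keywords" content="ElasticSearch Definitive Guide (Chinese Edition), elasticsearch 7, es7, real-time data analysis, real-time data retrieval" />
    <meta name="description" content="ElasticSearch Definitive Guide (Chinese Edition), elasticsearch 7, es7, real-time data analysis, real-time data retrieval" />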
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'oidc-guide-op.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">Original English version: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/oidc-guide-op.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/oidc-guide-op.html</a>, copyright of the original document belongs to www.elastic.co<br/>Local English version: <a href="../en/oidc-guide-op.html" rel="nofollow" target="_blank">../en/oidc-guide-op.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
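<strong>Important</strong>: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">current release documentation</a>.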
</div>
<div id="content">
<div class="section">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="oidc-guide-op"></a>The OpenID Connect Provider
</h2>
</div></div></div>
<p>The OpenID Connect Provider (OP) is the entity in OpenID Connect that is responsible for
authenticating the user and for granting the necessary tokens with the authentication and
user information to be consumed by the Relying Parties.</p>
<p>For the Elastic Stack to be able to use your OpenID Connect Provider for authentication,
a trust relationship needs to be established between the OP and the RP. In the OpenID Connect
Provider, this means registering the RP as a client. OpenID Connect defines a dynamic client
registration protocol, but this is usually geared towards real-time client registration and
not the trust establishment process for cross-security-domain single sign-on. All OPs will
also allow for the manual registration of an RP as a client, via a user interface or (less often)
via the consumption of a metadata document.</p>
<p>The process for registering the Elastic Stack RP differs from OP to OP, so following
the provider’s relevant documentation is prudent. The information about the
RP that you commonly need to provide for registration is the following:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<code class="literal">Relying Party Name</code>: An arbitrary identifier for the relying party. Neither the specification
nor the Elastic Stack implementation imposes any constraints on this value.
</li>
<li class="listitem">
<code class="literal">Redirect URI</code>: This is the URI where the OP will redirect the user’s browser after authentication. The
appropriate value for this will depend on your setup and whether or not Kibana sits behind a proxy or
load balancer. It will typically be <code class="literal">${kibana-url}/api/security/oidc/callback</code> (for the authorization code flow) or <code class="literal">${kibana-url}/api/security/oidc/implicit</code> (for the implicit flow) where <em>${kibana-url}</em>  is the base URL for your Kibana instance. You might also see this
called <code class="literal">Callback URI</code>.
</li>
</ul>
</div>
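<p>The following is an added example, not part of the original Elastic documentation: it derives the Redirect URI to register from the public Kibana base URL and checks it against the values entered on the OP, using the exact string comparison that OpenID Connect Core requires for <code class="literal">redirect_uri</code>. The function names, host names and registered values are constructed for illustration.</p>

```python
from urllib.parse import urlsplit

# Callback paths quoted on this page for the two flows.
FLOW_PATHS = {
    "code": "/api/security/oidc/callback",
    "implicit": "/api/security/oidc/implicit",
}


def redirect_uri(kibana_url: str, flow: str = "code") -> str:
    """Build the Redirect URI to register from the *public* Kibana base URL."""
    parts = urlsplit(kibana_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("kibana_url must be an absolute http(s) URL")
    if parts.query or parts.fragment:
        raise ValueError("kibana_url must not carry a query or fragment")
    # Keep any base path added by a proxy, drop only the trailing slash.
    base = f"{parts.scheme}://{parts.netloc}{parts.path.rstrip('/')}"
    return base + FLOW_PATHS[flow]


def check_registration(kibana_url: str, flow: str, registered: list) -> list:
    """Return findings; an empty list means the OP registration matches."""
    expected = redirect_uri(kibana_url, flow)
    findings = []
    if urlsplit(expected).scheme != "https":
        findings.append("redirect URI is not https; the authorization response is sent in clear text")
    if expected in registered:  # exact string comparison, as the OP performs it
        return findings
    findings.append(f"expected {expected!r} is not registered")
    for uri in registered:
        if uri.rstrip("/") == expected:
            findings.append(f"{uri!r} differs only by a trailing slash")
        elif urlsplit(uri).path == urlsplit(expected).path:
            findings.append(f"{uri!r} has the right path but another scheme/host "
                            "(internal address behind the proxy?)")
    return findings


if __name__ == "__main__":
    # Constructed values: Kibana published under /kibana behind a load balancer,
    # while the OP registration was made with the internal address.
    public = "https://kibana.example.org/kibana/"
    on_op = ["https://kibana-internal:5601/kibana/api/security/oidc/callback"]
    print(redirect_uri(public))
    for finding in check_registration(public, "code", on_op):
        print("-", finding)
```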
<p>At the end of the registration process, the OP will assign a Client Identifier and a Client Secret for the RP (Elastic Stack) to use.
Note these two values as they will be used in the Elasticsearch configuration.</p>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>